I'd like to implement two-factor authentication using RADIUS along with an internal CA. The idea is that everyone connecting to the VPN belongs to a group and has a certificate obtained from an internal CA. I thought mutual group authentication might be the answer, but am not sure. I tried it: I installed a CA cert and an identity cert, but when trying to use the VPN client with mutual group authentication, the client can't connect. The ASA reports "removing peer...no match". On the PC I'm using to test, I've installed both a user certificate and the root certificate from the CA.
I saw some notes that pointed toward using two-factor authentication on SSL VPNs, but am not sure that's what I want. I currently have SSL VPN in place to allow users who don't have a client to get connected, typically machines that would never see the internal network and be able to obtain a certificate from an Active Directory integrated CA. Is what I'm trying possible?
Here is a sample configuration for the IPsec VPN client with certificate authentication. In the example it uses the ASA local database for the extended authentication, but you can always configure an AAA RADIUS server and assign the RADIUS server to the policy:
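The configuration that follows is an added illustration, not the poster's own sample: it shows how the two factors fit together on an ASA for the legacy IPsec client, with the certificate (rsa-sig) authenticating IKE phase 1 and XAUTH sending the user's password to a RADIUS server. All names, addresses and the OU value are assumptions chosen for the example; the shared secret is a placeholder. The `crypto ca certificate map` plus `tunnel-group-map` lines are the part that decides which tunnel group a presented certificate lands in, so a certificate whose subject does not match the map (or that was not issued by the configured trustpoint) will not be matched to the group. On ASA 8.4 and later the `trust-point` and `isakmp` keywords under the tunnel group are prefixed with `ikev1`.

```text
! RADIUS server used only for the second factor (XAUTH user/password)
aaa-server RADIUS_GRP protocol radius
aaa-server RADIUS_GRP (inside) host 192.0.2.10
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>

! Trustpoint holding the internal CA chain and the ASA identity certificate
crypto ca trustpoint INTERNAL_CA
 enrollment terminal
 crl configure

! Select the tunnel group from the client certificate: only certs whose
! subject OU is VPNUSERS (assumed value) are mapped into VPN_TG
crypto ca certificate map VPN_CERT_MAP 10
 subject-name attr ou eq VPNUSERS
tunnel-group-map enable rules
tunnel-group-map VPN_CERT_MAP 10 VPN_TG

! IKE phase 1 authenticated with certificates, not a pre-shared key
crypto isakmp policy 10
 authentication rsa-sig
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
crypto isakmp enable outside

crypto ipsec transform-set ESP-AES-SHA esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN_MAP 10 set transform-set ESP-AES-SHA
crypto map OUTSIDE_MAP 65535 ipsec-isakmp dynamic DYN_MAP
crypto map OUTSIDE_MAP interface outside

group-policy VPN_GP internal
group-policy VPN_GP attributes
 vpn-tunnel-protocol IPSec

! Factor 1: certificate checked against INTERNAL_CA
! Factor 2: XAUTH credentials forwarded to RADIUS_GRP
tunnel-group VPN_TG type remote-access
tunnel-group VPN_TG general-attributes
 authentication-server-group RADIUS_GRP
 default-group-policy VPN_GP
tunnel-group VPN_TG ipsec-attributes
 trust-point INTERNAL_CA
 isakmp ikev1-user-authentication xauth
```

To check the certificate side before involving RADIUS, `show crypto ca certificates` should list both the CA and the ASA identity certificate under INTERNAL_CA, and `debug crypto isakmp` during a connection attempt shows whether the peer's certificate was matched to VPN_TG by the map; if the RADIUS step fails instead, `test aaa-server authentication RADIUS_GRP host 192.0.2.10` exercises the second factor on its own.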